Google Researcher: Activists Targeted by Corporate-Made Malware

By Robert Lemos |
Posted 2012-10-11

A report by a Google researcher has connected commercially-made malware with attacks on Middle East dissidents, an increasingly common occurrence that has fueled controversy over the selling and buying of information on software flaws.

A human-rights activist based in the United Arab Emirates has become the latest victim of such an attack, this time using malware known as Crisis, which appears to be a program sold by the Italian firm Hacking Team, according to a report posted on Sept. 10 by the University of Toronto's CitizenLab and authored by Google researcher Morgan Marquis-Boire. Crisis, also known as DaVinci, was originally discovered by antivirus firms in July and noted for its ability to infect computers running either Microsoft Windows or Apple Mac OS X as well as its focus on spreading to virtual machine instances.

In leaked product literature, Hacking Team refers to the Trojan as the Remote Control System (RCS).

Such discoveries have led to criticism of the targeting of activists and dissidents with what appears to be a rapidly evolving plethora of spyware and cyber-weapons, activities enabled by an increasing trade in information on vulnerabilities and ways to exploit them.

"As long as these companies believe that it is okay to sell this technology to dictators, democracy activists, human rights activists, bloggers, and journalists around the world will continue to suffer," the Electronic Frontier Foundation stated in a policy post earlier this year.

In the latest analysis, CitizenLab—part of the Munk School of Global Affairs at the University of Toronto—found that an attack on activist Ahmed Mansoor used the Crisis tool to exploit a vulnerability discovered by French offensive cyber-security firm VUPEN. The monitoring program was configured to send information to servers hosted by the Royal Group, a corporation based in the UAE. VUPEN has denied selling the details of the flaw.

The attacks show that dissidents and activists will be at a disadvantage against governments that use state-of-the-art software and offensive cyber-tools, the CitizenLab report stated.

"Targeted malware attacks are an increasing problem for human rights groups, who can be particularly vulnerable to such attacks due to limited resources or lack of security awareness," Marquis-Boire stated in the report.

In July, Citizen Lab worked with pro-democracy activists and journalists to uncover details about a mysterious piece of malware known as FinFisher, which proved to be spyware made by U.K. firm Gamma International and sold to government clients. Signs of the malware were detected in 10 other countries, including the United States, Australia and Indonesia, according to additional research done by security firm Rapid7.

The EFF has called for companies dealing in offensive digital technology to "know their customer," in the same way the government has called on banks and other companies to deal with potential financial crimes and terrorists. The problem is that these technologies are dual use: They can be used for wiretapping criminals, as well as used by a repressive regime against its detractors, said Bruce Snell, director of technical marketing at McAfee, a subsidiary of Intel.

"The big issue here is that we have to rely on these organizations doing these things to follow the rules," said Snell. "And when we are dealing with other countries, we cannot hold them accountable. That is not our job."

McAfee, like other security software firms, does not bend its rules for detecting potentially government-sanctioned malware. Discriminating between what is a legal and appropriate use of the technology is too difficult. Instead, it detects all malware, regardless of use or source.